Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - antineo


  • This topic is locked This topic is locked
9 replies to this topic

#1 antineo

antineo

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 05 January 2005 - 08:26 PM

I'm italian and i don't speak english very well.. hope you can understand me.

Hello. First post here..

every time I type an non existing url in Internet explorer, I go to
http://vv1.i1.topx.cc/index.php?aid=20038
instead of going to auto.serach.msn........

I've followed your instructions and downloaded HJT.
My log file is:

Logfile of HijackThis v1.99.0
Scan saved at 2.23.48, on 06/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
d:\Avast4\aswUpdSv.exe
d:\Avast4\ashServ.exe
d:\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
d:\Avast4\ashMaiSv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Avast4\ashDisp.exe
D:\HP\HP Software Update\HPWuSchd.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
D:\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
E:\internet\mail\thunderbird-0.5-win32\thunderbird\thunderbird.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
F:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [HP Software Update] "D:\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: Pagine simili - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\DAP\DAP.EXE
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.ansi.org/ansionline/Portal/r...rces/msddsc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programmi\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Unknown - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - d:\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - d:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Avast4\ashMaiSv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall - Kerio Technologies - d:\Kerio\Personal Firewall\persfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

Please help me, my pc is going very well except for this... :-)
If you reply to my post, please write in a very easy english!
Tnx.

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:12:04 PM

Posted 06 January 2005 - 01:39 PM

Did you remove anything with hijackthis ? There is nothing suspect in your log.

RESTART your machine.

Please download and run Silent Runners.vbs: http://www.silentrunners.org/

If you have a script blocking program you will get a warning asking if you want to allow Silent Runners.vbs to run. Allow the script to run.

Post the log please and a new hijackthis log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 antineo

antineo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 07 January 2005 - 05:51 PM

Thank you very much.
I've not removed anything from hjt.

I've downloaded and run Silent Runners.vbs and this is the log:


"Silent Runners.vbs", revision 29, launched at: 23:45
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ATIPTA" = "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"avast!" = "d:\Avast4\ashDisp.exe" [null data]
"HP Software Update" = ""D:\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "d:\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> resolves to: {CLSID}\InprocServer32\(Default) = "c:\windows\googletoolbar.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> CLSID InProcServer32 resolves to: "d:\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> CLSID InProcServer32 resolves to: "d:\IZArc\IZArcCM.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "d:\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "d:\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> CLSID InProcServer32 resolves to: "d:\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "Ati2evxx.dll" ["ATI Technologies Inc."]


Startup items in "marco" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"HP Digital Imaging Monitor" -> shortcut to: "D:\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""d:\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""d:\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""d:\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
Kerio Personal Firewall, PersFw, ""d:\Kerio\Personal Firewall\persfw.exe"" ["Kerio Technologies"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
SmartLinkService, SLService, "slserv.exe" [" "]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Is it ok?

#4 antineo

antineo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 07 January 2005 - 05:53 PM

ops.. you asked for a new HJT logfile.
Here it is:



Logfile of HijackThis v1.99.0
Scan saved at 23.52.58, on 07/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
d:\Avast4\aswUpdSv.exe
d:\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
d:\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
d:\Avast4\ashMaiSv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Avast4\ashDisp.exe
D:\HP\HP Software Update\HPWuSchd.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\ctfmon.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
F:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [HP Software Update] "D:\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm
O8 - Extra context menu item: Pagine simili - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\DAP\DAP.EXE
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.ansi.org/ansionline/Portal/r...rces/msddsc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programmi\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Unknown - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - d:\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - d:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Avast4\ashMaiSv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall - Kerio Technologies - d:\Kerio\Personal Firewall\persfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:12:04 PM

Posted 07 January 2005 - 07:06 PM

Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files. Let it finish. It could take 5 - 10 minutes.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#6 antineo

antineo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 January 2005 - 08:06 PM

Yes, here it is.
Thanks a lot for your time.



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: F:\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Il volume nell'unitů C non ha etichetta.
Numero di serie del volume: 7850-A49D

Directory di C:\WINDOWS\System32

05/01/2005 21.10 <DIR> dllcache
29/07/2004 23.14 <DIR> Microsoft
05/04/2001 18.43 94.208 msstkprp.dll
1 File 94.208 byte
2 Directory 1.751.896.064 byte disponibili

------- Hidden Files in System32 Directory -------

Il volume nell'unitů C non ha etichetta.
Numero di serie del volume: 7850-A49D

Directory di C:\WINDOWS\System32

05/01/2005 21.10 <DIR> dllcache
23/06/2004 13.10 488 logonui.exe.manifest
23/06/2004 13.10 488 WindowsLogon.manifest
23/06/2004 13.10 749 nwc.cpl.manifest
23/06/2004 13.10 749 sapi.cpl.manifest
23/06/2004 13.10 749 ncpa.cpl.manifest
23/06/2004 13.10 749 wuaucpl.cpl.manifest
23/06/2004 13.10 749 cdplayer.exe.manifest
7 File 4.721 byte
1 Directory 1.751.896.064 byte disponibili

------------ Files Named "Guard" ---------------

Il volume nell'unitů C non ha etichetta.
Numero di serie del volume: 7850-A49D

Directory di C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Il volume nell'unitů C non ha etichetta.
Numero di serie del volume: 7850-A49D

Directory di C:\WINDOWS\System32

10/09/2002 13.00 2.885 CONFIG.TMP
1 File 2.885 byte
0 Directory 1.751.896.064 byte disponibili

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avast!"="d:\\Avast4\\ashDisp.exe"
"HP Software Update"="\"D:\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Programmi\\HP\\hpcoretech\\hpcmpmgr.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:12:04 PM

Posted 08 January 2005 - 08:15 PM

Did you run Ad-Aware and Spybot Search and Destroy ?
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#8 antineo

antineo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 January 2005 - 08:33 PM

Sure, both but not recently.
I'm running SpyBot search & D. at this moment.
I'll write you in a minute.
Where are you from?

#9 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:12:04 PM

Posted 08 January 2005 - 09:14 PM

Download and install VX2 Cleaner.

Open Ad-Aware, go to Add-ons, click the Tools tab and select VX2 Cleaner. Press the Run Tool button.

REBOOT your machine.


Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:12:04 PM

Posted 29 January 2005 - 07:51 AM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users